A security vulnerability in Quake II servers allows a remote attacker to obtain sensitive information from the server by sending it unexpanded ("unprocessed") CVAR references, which the server then replaces with their values.

Details

Vulnerable systems:
Quake II Server versions 3.20 and 3.21

A problem in the Quake II server, discovered by 'Redix' and present on any OS, allows server CVARs containing sensitive information to be leaked. By using a modified client that does not locally expand "$" macros, it is possible to send a command such as 'say $rcon_password' to the server. The server then expands the macro and reveals its rcon password, which can be used for further attacks, not least of which include viewing the directory structure of the machine via 'rcon dir' and executing any q2 server commands, some of which produce file output.
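
A simplified C model of the flaw and its fix, added here as an example and not taken from the Quake II source: the CVAR table, its values, and the names `expand_macros`, `prepare_command_vulnerable` and `prepare_command_hardened` are assumptions made for illustration. It shows why expanding "$" macros in client-supplied text on the server leaks `rcon_password`, and how restricting expansion to the trusted local console keeps the client's text literal.

```c
#include <ctype.h>
#include <string.h>

/* Constructed CVAR table; names and values are sample data for this example. */
static const struct { const char *name, *value; } cvars[] = {
    { "hostname", "demo" }, { "rcon_password", "s3cret" } };
enum cmd_source { SRC_LOCAL_CONSOLE, SRC_REMOTE_CLIENT };

static const char *cvar_value(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++)
        if (strlen(cvars[i].name) == len && !strncmp(cvars[i].name, name, len))
            return cvars[i].value;
    return "";  /* unknown names expand to nothing */
}

/* Replace each $name with its CVAR value. Returns 0, or -1 if out is too small. */
static int expand_macros(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return -1;
    while (*in) {
        if (*in != '$') {
            if (o + 1 >= outsz) return -1;
            out[o++] = *in++;
            continue;
        }
        const char *start = ++in;  /* skip '$', then scan the identifier */
        while (isalnum((unsigned char)*in) || *in == '_') in++;
        const char *v = cvar_value(start, (size_t)(in - start));
        size_t n = strlen(v);
        if (o + n >= outsz) return -1;
        memcpy(out + o, v, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Vulnerable model: text from any source is macro-expanded on the server. */
int prepare_command_vulnerable(const char *line, char *out, size_t outsz) {
    return expand_macros(line, out, outsz);
}

/* Hardened model: only the local console is expanded; client text stays literal. */
int prepare_command_hardened(enum cmd_source src, const char *line, char *out, size_t outsz) {
    if (src == SRC_LOCAL_CONSOLE) return expand_macros(line, out, outsz);
    if (strlen(line) >= outsz) return -1;
    memcpy(out, line, strlen(line) + 1);
    return 0;
}
```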